enabling the ignore-scripts npm config
Closed this issue · 0 comments
psimk commented
Introduction
Since e3e4174, each template contains a `npmrc` file (converted to `.npmrc` once `create-pota` has converted the template into a project). As part of the security effort, we want to add and enable `ignore-scripts` in that npm config file, so our projects are protected from malicious dependencies running unwanted scripts on our machines.

This change, however, will make it less convenient for developers, as they will now have to run multiple scripts after `npm install`, so we should make sure to document exactly what they need to run and automate what we can.
Tasks
templates/

This generally involves some configuration, documentation and a bit of investigation into the dependencies - a good warmup.

- add `ignore-scripts = true` to each template's `npmrc`
- add `postinstall` to `package.json`, let it be empty by default
  - document this in the `README.md`
- investigate if any dependencies need to run scripts
  - add them to the `postinstall`

scripts/

- investigate if any dependencies need to run scripts
  - add them to the `postinstall`
  - document this in the `README.md`

create-pota/

This is where the above comes together.

- detect if the used `template` has any scripts
  - inform the user that they need to run them after `postinstall`
- if a script is being installed, add its `postinstall` to the `postinstall` of the newly created project
  - (e.g. `npm run postinstall --prefix=node_modules/@pota/webpack-scripts`)